Module 2 - Account Security Flashcards

1
Q

What is AWS IAM?

A

AWS Identity & Access Management, a web service that helps you securely control access to AWS resources.

2
Q

What is an IAM user? How many can you have per AWS account?

A

An entity that allows people to sign in to the Management Console (or CLI) to make requests. These exist within one AWS account but each has its own credentials.

5000 users per account max.

3
Q

What do you need to access the Management Console or CLI?

A

A user with a username and password, and up to 2 access keys.

4
Q

How do you grant permissions to an IAM user? E.g. I need to give a dev access to a resource. How would I go about doing that?

A
  • Make the user a member of a user group that has the appropriate permission policies attached. (This is the recommended method.)
  • Attach policies directly to the user.
  • Clone the permissions of an existing IAM user, which automatically makes the new user a member of the same user groups and attaches all the same policies.
5
Q

What is a security principal?

A

An entity that can request an action or operation on an AWS resource, e.g. IAM user. It can also be a service or an identity outside of AWS (such as Google login).

6
Q

What is a root user?

A

The user with complete access to services and resources. NOT for day-to-day operations. This account cannot be restricted.

7
Q

What is the principle of least privilege?

A

Grant users only the level of access they require and nothing more.

8
Q

How do you manage access in AWS, broadly?

A

You create policies and attach them to users, groups of users, roles, or to specific services.

Note: a group is not an identity itself and cannot be a principal in a policy.

9
Q

How are most policies stored in AWS? I.e. what format?

A

As JSON.

10
Q

What is a federated user?

A

An external identity that does not have an AWS account. You assign it a role to grant temporary access.

11
Q

When do you need an access key ID and secret access key?

A

When you need programmatic access, such as API calls or using the CLI. If you are just using the Management Console then you only need a username and password.

12
Q

Why might you use the AWS CLI?

A

You can control multiple AWS services from the command line and automate them through scripts.

13
Q

What is an IAM role?

A

A way to deliver temporary credentials. Users can assume a role without sharing credentials, and permissions are only valid when operating under that role. Like limited sudo access to AWS.

Commonly used to allow EC2 instances or Lambda to call services on your behalf.

14
Q

How do you assume an IAM role? How is access granted when you assume a role?

A

From the console or CLI, call the AssumeRole API. This goes to AWS Security Token Service (AWS STS), which returns a temporary access key ID, a secret access key, and a security token. You then use those temporary credentials to access resources.

15
Q

What are the different policy types? There are 4.

A
  • Identity-based policies – attached to users, groups, and roles.
  • Resource-based policies – e.g. Amazon S3 bucket policies and IAM role trust policies.
  • AWS Organizations Service Control Policies (SCPs) – define the maximum permissions for account members of an organization or organizational unit (OU).
  • IAM permissions boundaries – set the maximum permissions that an IAM entity can receive.
16
Q

What is an identity-based policy?

A

A document that controls what actions a user can perform, on what resources, under what conditions.

17
Q

What kinds of identity-based policies are there?

A

Managed: standalone policies that you attach to multiple users/groups/roles, managed by AWS or the customer.

Inline: Policies that you add directly to a single user, group, or role. These maintain a strict one-to-one relationship between a policy and an identity.

18
Q

How does a resource-based policy work?

A

A resource-based policy is attached to the resource itself and grants the named principal permission to perform specific actions under specific circumstances. These are always inline policies, never managed.

19
Q

What is AWS KMS?

A

AWS Key Management Service. The main purpose is to store and manage encryption keys that encrypt your data outside of AWS KMS.

20
Q

What is the difference between AWS KMS and secrets manager?

A

AWS Secrets Manager is an AWS service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext.
It’s designed especially to store application secrets, such as login credentials, that change periodically and should not be hard-coded or stored in plaintext in the application. In place of hard-coded credentials or table lookups, your application calls Secrets Manager.

Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted.

Secrets Manager uses the plaintext data key and the Advanced Encryption Standard (AES) algorithm to encrypt the secret value outside of AWS KMS. It removes the plaintext key from memory as soon as possible after using it.

21
Q

Which is better, inline or customer-managed policy?

A

An inline policy is one that you create and embed directly to an IAM group, user, or role.

Inline policies can’t be reused on other identities or managed outside of the identity where they exist.

As a best practice, use customer-managed policies instead of inline policies.

22
Q

What is included in a policy? When you look at a policy JSON, what are the individual parts?

A

CARPE(S)

  • Sid (statement ID, optional)
  • Effect – Allow or Deny access.
  • Principal (required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you want to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
  • Action – a list of allowed actions
  • Resource (required only in some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, the resource to which the action applies is the resource to which the policy is attached.
  • Condition – Specify the circumstances.
23
Q
What does this policy do?

{
  "Effect": "Deny",
  "Action": [
    "dynamodb:*",
    "s3:*"
  ],
  "NotResource": [
    "arn:aws:dynamodb:region:account-number-without-hyphens:table/EXAMPLE-TABLE",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
  ]
}
A

Denies access to any resource in Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB, except for the three listed resources.

24
Q

What does this policy do?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:::instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    }
  ]
}

A

Grants the user permission to start and stop instances, only if the EC2 owner tag matches the username of the entity making the call.

25
Q

What is the IAM Access Analyzer?

A

A service that identifies resources that are shared with external principals. You can use this to identify unintended access to your resources and data.

26
Q

How do permission boundaries work?

A

You can set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by BOTH its identity-based policies and its permissions boundaries.

27
Q

What is an IdP?

A

Identity Provider. Works like OAuth. You can configure your AWS accounts to integrate with your IdP using SAML.

28
Q

What is AWS SSO?

A

Single Sign-On: central access management and user permissions for:
• all AWS accounts
• third-party software as a service (SaaS) applications integrated with AWS SSO
• custom applications that support SAML 2.0.

29
Q

Why would you use multiple AWS accounts?

A
  • Improve security
  • Limit impact in case of unauthorized access
  • Simplify management of different environments
30
Q

How do you easily manage multiple AWS accounts?

A

AWS Organizations.

31
Q

What is an SCP?

A

Service Control Policy (Organization level). Like an IAM policy, but it never grants permissions. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts, to actually grant permissions.

32
Q

What is the difference between AWS Organizations and AWS Control Tower?

A

AWS Organizations enables you to manage your environment across multiple accounts centrally.
AWS Control Tower automates many of the steps required to build your environment and govern it at scale.

33
Q

IAM user groups can contain other groups. True or False?

A

False. IAM User Groups can contain only IAM Users.

34
Q

What is the consistency of IAM users? When you create a user, is it immediately available or eventually consistent?

A

Eventually consistent.

35
Q

What is the “scope” of an IAM user?

A

Global. Not limited to your region.

36
Q

What is the default setting of an IAM user?

A

You can log in, but you have access to nothing.

37
Q

What is the best practice for applying permissions to many users who perform the same job role?

A

Add the users to an IAM Group and apply a permissions policy to the group.

38
Q

What kinds of MFA are available?

A

  • Virtual MFA device (Google Authenticator, Authy)
  • Universal 2nd Factor (U2F) physical key
  • 3rd party key fob

39
Q

What is IAM Credentials Report?

A

Lists all your account users and the status of their credentials.

40
Q

What is IAM Access Advisor?

A

Shows service permissions granted to a user and when the user accessed a service last. (USER level, not account). This is a good place to review and revise policies.

41
Q

When you first download a file (like the key pair for SSHing into your EC2 instance), what is the permission setting?

A
The default permission is too open for a security key. To change it from the CLI, run the following on the key file:

chmod 0400

42
Q

We need to give AWS Console access to developers. We must use identity federation and role-based access control. Currently, the roles are already assigned using groups in the corporate Active Directory.

What services can provide developers access to the AWS console? (Name TWO.)

A

IAM Roles (not IAM groups because they are not currently IAM users)

AWS Directory Service AD Connector (not Simple AD since you can’t manage user accounts and memberships with it)

43
Q

A Lambda function is storing sensitive database and API credentials. How can this information be secured to prevent other developers in the team, or anyone, from seeing these credentials in plain text? Select the best option that provides maximum security.

A

Create a new KMS key and use it to store and encrypt the sensitive information.

Lambda does encrypt env variables using KMS, but when the Lambda function is invoked it decrypts them and it is visible to the code (and therefore anyone with access to the Lambda console). You can use encryption helpers in KMS to keep things encrypted.

44
Q

We got DDoS attacked. What should we do?

A

AWS Shield Advanced.

45
Q

What is the best method to quickly and temporarily deny access from specified IP addresses outside the VPC?

A

Modify the NACL associated with public subnets to deny access from the specific IP block.